The author is director of technology for Frandsen Media, which includes Sandhill Media in Idaho Falls, Idaho; Cache Valley Media in Logan, Utah; and Canyon Media in St. George, Utah.
If you’ve been paying attention to the industry trades at all over the past decade or so, no doubt you’ve read about some major cybersecurity attacks on broadcast facilities.
The attacks include everything from ransomware attacks to STL and airchain hijacks — audio and metadata.
Following a breach, broadcasters often found themselves unable to access critical information, loss of the station’s audio or even worse, losing control of their signal entirely, replaced by obscenity-laden material on the air.
A recent series of attacks that originated this past Labor Day weekend seemed to be targeted at inexpensive audio codecs manufactured by a specific company and exposed on public IP addresses.
(Read Radio World’s separate coverage on the recent apparent Barix hacks.)
This is not a new development. It has happened several times in the past. While it’s true that manufacturers bear at least some of the fault here by not making their equipment more secure by default, most of the blame lies squarely on broadcasters for still not following common-sense cybersecurity practices.
Basic security practices
I, and many others in this industry, have been preaching the basics of cybersecurity for well over a decade now, but it feels at times like we are shouting at a brick wall.
The information is readily available, both through paid resources such as the excellent webinars produced by the Society of Broadcast Engineers and free resources produced by vendors.
I can somewhat understand the argument “I didn’t know,” but frequently that argument veers off into “it’s too difficult” or “it’s too expensive.”
Measures such as changing default passwords are simple and cost literally nothing. Applying updates to your equipment is also generally another low- or no-cost measure.
Depending on the type of equipment, critical security updates are often released at no cost.
That said, passwords and software patching are among the bare minimum tasks a broadcaster can perform to secure their infrastructure, and your devices are still subject to being compromised.
Public IP vulnerabilities
Another common mistake is to place critical broadcast infrastructure directly on a public-facing IP address.
In some cases, the IP address your ISP hands out may be public, but unless you’ve specifically requested an external IP, that is typically not the case.
There also seems to be a common misconception that humans are behind the attacks or that “I’m too small for anyone to target.”
While that may be true in some cases, the internet is flooded with “bots” continuously scanning for vulnerable systems. In fact, there is a search engine dedicated to exactly this purpose. The size of your operation doesn’t matter.
If your equipment can be seen directly on the public internet, it can be hacked.
Port forwarding pitfalls
Other broadcasters install a firewall, then they proceed to poke holes through it “for convenience.”
While there are a small number of exceptions, very seldom does a piece of broadcast equipment need a direct public IP address — or have its port forwarded through a firewall.
Instead, VPN-based tunnels and access control lists are the best-practice method for remote administration.
Recommendations
VPNs and access lists measures may sound complicated or expensive, but they don’t have to be.
Cybersecurity strategies can get quite elaborate, but a few additional simple measures beyond just changing passwords and hoping for the best can go a long way. Even the most basic firewall available from your local “big box” retailer will likely allow for establishing secure VPN connections.
I’ve become a fan lately of hardware from Ubiquiti Networks. For well under $200, they make a firewall that will allow configuring these secure tunnels with just a few clicks.
While I understand that times are tough, the truth is that if you can’t afford the less than $200 to secure your most critical infrastructure, you almost certainly cannot afford the consequences of a major cyberattack.
While there are no guarantees in terms of cybersecurity these days, we as broadcasters owe it to our listeners to go beyond the bare minimum.
